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© Method and apparatus for memory efficient variants of public key encryption and Identification 
schemes for smart card applications. 



© Memory efficient variants of public key encryption and identification schemes for smart card applications 
with severely limited RAM without using dedicated coprocessors. The variants replace the memory-intensive 
modular multiplication operation z = x*y (mod n) by a new randomized multiplication operation z' = x"y + r*n, 
where r is a randomly chosen integer in a suitable range [0,b], and a double convolution process to compute z'is 
used. Method and apparatus are described. 
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Held of the Invention 

The invention relates to a method and an apparatus for public key encryption and identification 
schemes for smart card applications. 

5 

Background of the Invention 

Almost all the public key encryption and identification schemes proposed so far are based on modular 

multiplications with a modulus n which is the product of two secret primes p and q. To make the 
w factorization of n difficult, it is necessary to use very large numbers. The minimum recommended size of n 

is currently 512 bits, but due to the explosive growth of computing power available to cryptanalysts, this 

minimum size is likely to increase to 1024 bits (and to even larger values for high security applications). 
In many communication and access control applications, it is desirable to use smart cards to carry out 

sensitive computations. Among the many reasons for this choice are the small physical size, the portability, 
75 the non-volatile memory, and the security offered by a single chip computer embedded in a plastic card. 

Millions of smart cards are used each year to make bank cards more secure, to control access to pay-TV, 

to carry billing information in cellular telephones, etc. 

The biggest limitation in today's smart cards is the small amount of random access memory (RAM) 

available in the card. The most popular smart card chip made by Motorola has 36 bytes of RAM, and the 
20 most popular smart card chip made by Thomson has 44 bytes of RAM. This should be compared with the 4 

million bytes of RAM available in a typical personal computer. 

Some algorithms can make use of other types of memory: A typical smart card contains several 

thousand bytes of ROM and several thousand bytes of EEPROM. ROM is unchangeable, and typically 

stores the program which controls the operation of the smart card. EEPROM is changeable, but writing into 
25 it is about one thousand times slower than writing into RAM and the number of times a bit can be rewritten 

cannot exceed 10,000. It is thus possible to use EEPROM to store slowly changing data such as 

cryptographic keys or the details of financial transactions, but not as a RAM substitute for intermediate 

values in a long computation. 

30 Summary of the Invention 

The present invention relates to a method and apparatus for modifying two of the most popular public 
key schemes (the Rabin encryption scheme and the Fiat-Shamir identification scheme) in order to make 
them suitable for smart cards with severely limited RAMs. The modified variants are as secure as the 
35 original variants, but they are so space-efficient that even the simplest 36 byte smart card can handle 
moduli n with thousands of bits without any difficulty. 

It is an object of the invention to provide a method and apparatus for a public key scheme for smart 
cards with severely limited RAM without using dedicated coprocessors. 

According to the present invention the novel memory efficient variants of public key encryption and 
40 identification schemes for smart card applications can be accomplished using as few as 36 bytes of RAM. A 
new randomized multiplication operation z* = x*y + r*n is used where r is a randomly chosen integer in a 
suitable range [0,b]. A double convolution process is used to compute z\ 

Brief Description of the Figures 

45 

Fig. 1 shows schematically a smart card as used in the invention. 

Fig. 2 shows schematically a memory efficient variant of a Rabin scheme as implemented in a smart 
card according to the invention. 

Fig. 3 shows schematically a memory efficient variant of a Fiat-Shamir scheme as implemented in a 
so smart card according to the invention. 

Detailed Description of the Preferred Embodiments 

First one considers the basic operation of multiplying two large numbers x and y which are already 
55 stored in a smart card 10 (e.g., in its EEPROM 12), see Fig. 1. The successive bytes of x and y are 

denoted by X| and yi (respectively) for l = o k-1, where the i-th byte is the least significant one. Smart card 

10 has a ROM 14, a RAM 16, a microprocessor chip 18 and the usual I/O 20. The result z = x*y cannot fit 
in the small RAM, but if it is the final result computed by the smart card, its successive bytes can be sent 



2 



EP 0 682 327 A2 



10 



15 



20 



25 



30 



35 



40 



45 



50 



out (rather than stored) as soon as they are generated. 

According to the present invention convolution is used for multiplying two k-byte numbers in Ofk 2 ) time 
with 0(log(k)) workspace. Start with c = 0. To compute the i-th byte of the result z for i = 0, 1, 2,...k-1, 
compute: 



for j = 0,1, 2,...i, send the least significant byte of t as z ( , and use the value of the other bytes of t as the 
new carry c. Note that for any x and y with up to half a million bits, t fits into 4 bytes, and thus the algorithm 
can be easily implemented even on the cheapest smart card with 36 bytes of RAM. 

Next the problem of computing z = x*y (mod n) is considered. By definition, z = x*y - w*n where 



(i.e., w is x*y/n truncated to the largest integer below it). Since z cannot be stored, it is not obvious how to 
carry out this division operation. One can try to generate the successive bytes of z by the convolution 
method, but in the division operation one would need these bytes from left to right, whereas the convolution 
computes them from right to left. Thus one would be forced to recalculate each byte of z a large number of 
times, and the cryptographic scheme becomes unacceptably slow. 

The new solution to this problem according to the invention is to replace the modular multiplication 
operation z = x*y - w*n where 



by a new randomized multiplication operation z' = x*y + r*n where r is a randomly chosen integer in a 
suitable range [0,b]. Such a z' can be easily computed by the following double convolution process: 

1. Set c = 0. 

2. For i = 0, 1 ,...k-1 compute: 



3. Send the low-order byte of t as z ( , and 

4. Set c to the number represented by the other bytes of t. 

Clearly, the value of z can be recovered from the value of z' by reducing z f modulo n, and thus there is 
no loss of information in sending z* instead of z. Now it will be shown that when b is a large enough public 
bound, there is no loss of cryptographic security in sending z' instead of z. Assume that there exists an 
attack against the cryptographic scheme which uses the knowledge of z* = x*y + r*n for a random r in [0,bj. 
These values define a probability space P\ We show that such an attack can also be based on the 
deterministic value of z = x*y - w*n. Given z, the cryptanaiyst can easily compute by himself another 
probability space P" defined by the values z" = z + u"n for a random u in [0,b]. By definition, z" = x"y + 
(u-w)*n. The only difference between P' and P" is that the range of coefficients of n is shifted by the 
unknown quantity w from [0,b] to [-w, b-w]. The probability that a random point in one range will fall outside 
the other is w/b. If x and y are in [0, n], and b is much larger than n, then this probability is negligible (e.g., 
when b is a power of 2 which is 64 bits longer than n, this probability is less than 2~ 6 *). Since P' and P" 
are statistically indistinguishable, any cryptanalytic attack will be equally successful over the two probability 
spaces. 

The only disadvantage of randomized multiplication with respect to modular multiplication is that the 
transmitted result is about twice as long. However, this adds only a negligible communication delay, and the 
recipient computer (which is usually a powerful PC or a network server) can immediately change z* to z 
before storing or processing it further. 
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In the next two sections is described how to use randomized multiplications in order to obtain space- 
efficient variants of the Rabin and Rat-Shamir cryptographic schemes. 

A Space-Efficient Variant of the Rabin Encryption Scheme 

5 

Rabin's public key scheme is used to establish a common secret key K between two parties, which can 
then be used to encrypt the actual message with a standard cryptosystem such as DES. K is usually the 
low order bits (56 in the case of DES) of a long number x in the range [0,n] chosen randomly by the 
sender. However, K can be defined as any other publicly known function of x. The sender then computes 

10 and sends z = x*x (mod n), and the recipient uses his knowledge of the factorization of n in order to 
compute the modular square root of z (mod n). A slight complication is that z yields four possible K f s, but 
this can be solved by known techniques. 

Referring now to Fig. 2 in the proposed new variant, K is sent by computing the randomized 
multiplication z* = x"x + r*n instead of the modular multiplication z = x*x (mod n). In the preferred 

75 implementation of the new variant, n (which is the product of two large primes p and q) is kept in EEPROM, 
see block 30. It is usually the public key of the organization which issues the cards to its employees and 
customers, and even small cards with one kilobyte of EEPROM can store an 8000 bit modulus. The 
numbers x and r are pseudo randomly generated from random secret seeds sx and sr (which are loaded 
into EEPROM when the card is issued) see block 32, a session counter v (which is incremented in 

20 EEPROM at the beginning of each communication session) see block 34, and a byte index j, see block 36. 
A convenient way of achieving this is to hash sx, v, and j into the j-th byte of x in session v, see block 38, 
and to hash sr, v, and j into the j-th byte of r in session v, see block 40. In this way it is possible to access 
individual bytes of x and r in any order without storing x and r anywhere, and thus it is possible for a prover 
to compute, see block 42, and send out the successive bytes of z', see block 44, by the double convolution 

25 method even when n has thousands of bits and the card has only 36 bytes of RAM. The successive bytes 
are received by a verifier, see block 46 and verification is effected, see block 48. 

A Space-Efficient Variant of the Flat-Shamir Identification Scheme 

30 The Rat-Shamir identification scheme is described in U.S. Patents Nos. 4,748,668 and 4,993,970, the 
disclosures of which are incorporated herein by reference. In this section we describe a novel space- 
efficient variant of this scheme which makes it possible to implement it on smart cards with very small 
RAMs. 

In the original Fiat-Shamir identification scheme, the smart card (known as the prover) contains in its 
35 EEPROM a public modulus n = p*q and a secret number c. The other party (known as the verifier) knows n 
and d = c*c (mod n). The smart card proves its identity to the verifier by using a zero knowledge protocol 
to demonstrate its knowledge of c. The proof consists of the following steps: 

1. The prover chooses a random number x, and sends z = x*x (mod n) to the verifier. 

2. The verifier sends a random bit to the prover. 

40 3. Based on the bit, the prover sends either x or x*c (mod n) to the verifier. 

4. Based on the bit, the verifier checks that the square of the received number is either z (mod n) or z*d 
(mod n). 

5. Steps 1-4 are repeated several times to reduce the probability of cheating. 

In the new space-efficient variant of the Fiat-Shamir scheme, the prover performs the same steps, but 
45 replaces the modular multiplications x*x (mod n) and x*c (mod n) by the randomized multiplications x*x + 
r*n and x*c + f n for pseudo-random r and t in [0,b], where b is substantially larger than n (e.g., by at least 
64 bits). As demonstrated above, these operations can be carried out with very small RAMs. 

Referring to Fig. 3, in block 80, n is stored as the product of large primes p and q, in block 82 pseudo- 
random v and t are stored, in block 84 the first computation is made and sent to the verifier who receives in 
so block 86 and then sends random bit a number of times for verifying calculations in blocks 88-98. Finally, a 
verification is made in block 100. The process may be carried out using the double convolution techniques 
described in the foregoing. 

While the invention has been described with respect to certain embodiments thereof, it will be 
appreciated by one skilled in the art that variations and modifications may be made without departing from 
55 the spirit and scope of the invention. 
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Claims 



1. A method of computing in a space-efficient and cryptographicaily-secure way a randomized variant of 
the modular product z = x*y (mod n) comprising the steps of: 

(a) storing two k-byte numbers x and y in memory of a smart card including memory, a 
microprocessor and I/O, 

(b) computing the i-th byte of the result of z' = x*y + r"n where y is a randomly chosen integer in a 
range [o,b] and n is the product of two large primes p and q, using double convolution by 

0) setting c = 0 

(ii) for i = 0, 1...k-1, computing 



(c) transmitting the low-order byte of t as z, via the I/O of the smart card, 

(d) repeating the computation and transmission of steps (b) and (c) using the number represented 
by the other bytes of t for c. 

2. A method of claim 1 including the further steps of: 

(e) receiving the transmitted bytes, and 

(f) recovering the product of the two k-byte numbers x and y (modulo n) from the received bytes. 

3. A method of encryption of a secret key K comprising the steps of: 

(a) storing a public key n (the product of two large primes p and q) in a EEPROM of a smart card 
having EEPROM, RAM, a microprocessor and I/O, 

(b) storing secret seeds sx and sr in the EEPROM, 

(c) establishing a session counter v and a byte index j in the EEPROM, 

(d) incrementing the session counter at the beginning of each communications session, 

(e) hashing sr, v and j and also sx, v and j into the j-th byte of r and x, respectively, in session v, 

(f) computing successive bytes of z*= x*x + r*n using the method of claim 1, 

(g) transmitting via the I/O successive bytes of z\ 

(h) defining the secret key K as some publicly known function of x. 

4. A method of identification in which an entity claims that it knows a secret value c related to the public 
values d and n by d = c*c (mod n), and proves it by using the steps of: 

(a) storing c and n (which is the product of two large primes p and q) in an EEPROM of a smart card 
having EEPROM, RAM, a microprocessor and I/O, 

(b) storing a secret seed sx and sn in the EEPROM, 

(c) establishing a multiplication counter v and a byte index j in the EEPROM, 

(d) incrementing the multiplication counter at the beginning of each modular multiplication in each 
proof of identity, 

(e) hashing sn, v and j and also sx, v and j into the j-th byte of r and x, respectively, in session v, 

(f) computing successive bytes of z' = x*x + r*n using the method of claim 1 , 

(g) transmitting via the I/O successive bytes of z\ 

(h) receiving from the verifier a random bit, 

(i) based on the bit. sending either x or a randomized version of x"c (mod n), according to the 
method of claim 1, 

(j) repeating steps (d) to (i) one or more times to reduce the probability of cheating. 

5. Apparatus for computing in a space-efficient and cryptographically-secure way a randomized variant of 
the modular product z = x*y (mod n) comprising: 

(a) means for storing two k-byte numbers x and y in memory of a smart card including memory, a 
microprocessor and I/O, 

(b) means for computing the i-th byte of the result of z f = x*y + r*n where y is a randomly chosen 
integer in a range [o,b] and n is the product of two large primes p and q. using double convolution 
by 
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(i) setting c = 0 

(ii) for i = 0, 1...k-1, computing 



t - c ♦ £ (x/y^) ♦ £ (z a *n,. a ) 



(c) means for transmitting the low-order byte of t as z, via the I/O of the smart card. 
10 (d) means for repeating the computation and transmission of steps (b) and (c) using the number 

represented by the other bytes of t for c. 

6. Apparatus of claim 5 further comprising: 

(e) means for receiving the transmitted bytes, and 
rs (0 means for recovering the product of the two k-byte numbers x and y (modulo n) from the 

received bytes. 

7. Apparatus for encryption of a secret key K comprising: 

(a) means for storing a public key n (the product of two large primes p and q) in a EEPROM of a 
20 smart card having EEPROM, RAM, a microprocessor and I/O, 

(b) means for storing secret seeds sx and sr in the EEPROM, 

(c) means for establishing a session counter v and a byte index j in the EEPROM, 

(d) means for incrementing the session counter at the beginning of each communications session, 

(e) means for hashing sr, v and j and also sx, v and j into the j-th byte of r and x, respectively, in 
25 session v, 

(f) means for computing successive bytes of z* = x*x + r*n using the apparatus of claim 5, 

(g) means for transmitting via the I/O successive bytes of z\ 

(h) means for defining the secret key K as some publicly known function of x. 

30 a Apparatus for identification in which an entity asserts that it knows a secret value c related to the public 
values d and n by d = c*c (mod n), and proves it by using apparatus comprising: 

(a) means for storing c and n (which is the product of two large primes p and q) in an EEPROM of a 
smart card having EEPROM, RAM, a microprocessor and I/O, 

(b) means for storing a secret seed sx and sn in the EEPROM, 

35 (c) means for establishing a multiplication counter v and a byte index j in the EEPROM, 

(d) means for incrementing the multiplication counter at the beginning of each modular multiplication 
in each proof of identity, 

(e) means for hashing sn, v and j and also sx, v and j into the j-th byte of r and x, respectively, in 
session v, 

40 (0 means for computing successive bytes of z' = x*x + r*n using the apparatus of claim 5, 

(g) means for transmitting via the I/O successive bytes of z\ 

(h) means for receiving from the verifier a random bit. 

(i) means for sending either x or a randomized version of x*c (mod n), based on the bit. using the 
apparatus of claim 5, and 

45 fl) means for repeating steps (d) to (i) one or more times to reduce the probability of cheating. 



50 



55 



6 



EP 0 682 327 A2 






7 



EP 0 682 327 A2 



SENDER OF KEY K 



STORE IN EEPROH THE PUBLIC 
KEY m, THE PRODUCT OF LARGE 
PRIMES p AND q 
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STORE IN EEPROM RANDOM 
SECRET SEEDS sx AND sr 



ESTABLISH SESSIONS COUNTER v 
IN EEPROM AND INCREMENT AT 
BEGINNING OF EACH 
COMMUNICATION SESSION 
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ESTABLISH BYTE INDEX 
j IN EEPROM 
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HASH sx. v AND j INTO j-th 
BYTE OF x IN SESSION v 



HASH sr, v AND j INTO j-th 
BYTE OF r IN SESSION v 
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COMPUTE SUCCESSIVE BYTES OF 
z'=x» x =r»n USING DOUBLE 
CONVOLUTION METHOD 
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RECEIVER OF KEY K 



RECEIVE SUCCESSIVE 
BYTES OF z' 



FIG.2 
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COMPUTE x AS THE SQUARE 
ROOT OF z' (MOD n ), AND 
EXTRACT THE KEY K BY 
APPLYING THE PUBUCLY 
KNOWN FUNCTION TO x. 
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p AND q AND SECRET 
NUMBER c 
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STORE IN EEPROM PSUEDO- 
RANDOM v AND t IN [ o.b ], 
WHERE b IS SUBSTANTIALLY 
LARGER THAN n (e.q. BY AT 
LEAST 64 BITS) 
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SELECT PSEUDO-RANDOM 
NUMBERS x IN [ o,n ] AND 

r IN [ o.b ], COMPUTE 
z' = x *x=r»n AND TRANSMIT 
TO VERIFIER 
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BASED ON RANDOM BIT FROM 
VERIFIER, SEND EITHER x OR 
w' = x*c+fcn FOR PSUEDO- 
RANDOM t IN [ o,b ] AND 
TRANSMIT TO VERIFIER 
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RECEIVE AND VERIFY THAT 
EITHER z' = x«x (MOD n) OR 
( W , )2 SS 2» * d (MOD n). BA! 
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ON THE RANDOM BIT 
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REPEAT COMPUTATIONS AND 
TRANSMIT TO VERIFIER 
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BIT TO PROVER ONE OR 
MORE TIMES 
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VERIFYING COMPUTATIONS 
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VERIFICATION 
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